Detecting and blocking malicious connections

FIELD OF THE INVENTION 

The present invention relates to information security and especially
to securing a device having data communication capability.

BACKGROUND OF THE INVENTION

In data networks such as the Internet, it is in practice mandatory to
have information security measures in place in order to secure proprietary
information and to defend against malicious intruders.

An applet is a little application. On the Web (WWW, World Wide Web), using
Java, the object-oriented programming language, an applet is a small program
that can be sent from a Web server along with a Web page to a user. Java
applets can perform interactive animations, immediate calculations, or other
simple tasks without having to send a user request back to the server. When a
browser requests a Web page with applets, the applets are sent automatically
and can be executed as soon as the page arrives in the browser. If the applet
is allowed unlimited access to memory and system resources, it can do harm in
the hands of someone with malicious intent. For the sake of security, applets
are run in "a sandbox", where the applet has only limited access to system
resources. The sandbox creates an environment in which there are strict
limitations on what system resources the applet can request or access.
Sandboxes are used when executable code comes from unknown or untrusted
sources and allow the user to run untrusted code safely. However, not all
functionality of an applet can be denied even in a sandbox. For example, an
applet may need to open new outward connections towards the server it
originated from.

FTP is an example of commonly used transfer protocols which consist of more
than one separate connection. In such protocols, a first connection is opened
and then at least one other connection is opened on the basis of information
obtained from or transferred within the first connection. That is, some
attributes, such as port numbers, of the other connection are negotiated
within the first connection. These are herein referred to as a control
connection (the first connection) and a related connection (the other
connection). In FTP, the related connection is often called a data
connection. Such a related connection is always related to some control
connection and does not exist alone, in the sense that opening the related
connection requires intervention of the control connection. In addition, one
related connection may be a control connection of another related connection.
This concerns for example the H.323 protocol. In these protocols, the
attributes of related connections usually change dynamically. For example, it
is usually not known beforehand to which port a related connection will be
established. Also the direction in which a related connection is opened may
vary.

A firewall is traditionally considered as a set of components forming a
gateway between two or more networks which have different security
requirements. Thus, a firewall is a gateway which operates at the same time as
a connector and a separator between the networks, in the sense that the
firewall keeps track of the traffic that passes through it from one network to
another and restricts connections and packets that are defined as unwanted by
the administrator of the system. A firewall can also be a so-called personal
firewall, which sits in an individual device which needs to be protected and
monitors only connections going in to or coming out from that device. The
operation of such a personal firewall is in principle similar to the operation
of a gateway firewall.

A firewall is configured by means of rules, which define which data packets
are allowed to traverse the firewall and which are not. A rule comprises
information for identifying a data packet (e.g. source and destination
addresses and ports) and an associated action, which may be for example to
allow or deny the packet. A firewall may be a simple packet filter, which
compares header fields of a data packet to the firewall rules and processes
the data packet according to the rule which matches the data packet. A more
advanced, stateful, firewall also keeps track of the state of different
connections.

In a stateful firewall, for example, an FTP data connection is allowed only
if negotiation of such a data connection is noticed within a legitimate
control connection. Other protocols comprising more than one connection are
treated similarly to FTP connections in stateful firewalls.

The use of protocols which open related connections creates a vulnerability
in a device which is running applets, irrespective of whether a firewall is
protecting the device or not. Let us consider the following scenario to
illustrate this:

- A Java applet is delivered to a client browser.
- The Java applet acts as an FTP client and opens a control connection to
the server.
- A data connection from the server to the client is negotiated for a port
on which some other vulnerable service is running (previous experimentation
or even an educated guess can be used for finding out such a port).
- For an outside process, the data connection seems perfectly legitimate,
since it was negotiated within a legitimate control connection, and thus it
is allowed to traverse any firewall, either gateway or personal.

Thus the server is allowed to open a connection to a port where a vulnerable
service is running. In some cases connections to ports below 1024 are denied
in a firewall, but plenty of vulnerable services can be found also on ports
above 1024.

One solution for tackling this vulnerability is to block all related
connections. The disadvantage of this solution is that it also blocks all
legitimate use of some important protocols. In many cases this is not a
viable solution. In the case of FTP, blocking active FTP would help, but then
not even legitimate active FTP connections would be allowed, and related
connections associated with other protocols could still be exploited. (FTP
connections are classified into passive and active; in passive FTP the data
connection is opened in the same direction as the control connection and in
active FTP the data connection is opened in the opposite direction to the
control connection.) Another partial solution would be to monitor related
connections and allow them only if data is going in one direction only. This
would make malicious use of FTP more complex, since in legitimate FTP data
connections data is going in one direction only, but it would not help in
relation to protocols in which data is transferred bi-directionally in the
related connections. And even FTP attacks would not be disabled by this
solution, since past experience has proven that it is possible to craft an
attack which transmits data only to the target and does not require any
return traffic.

Thus, a new solution for tackling this problem is needed. 

SUMMARY OF THE INVENTION

An object of the invention is to provide a new solution for securing a 
device having data communication capability and to mitigate the vulnerability 
discussed above. 

This object of the invention is achieved according to the invention as
disclosed in the attached independent claims. Preferred embodiments of the
invention are disclosed in the dependent claims. The features described in
one dependent claim may be further combined with features described in
another dependent claim to produce further embodiments of the invention.

The idea of the invention is to detect and block malicious related
connections by examining the relationship between a port negotiated for a
related connection and the associated control connection, and by deciding on
the basis of this relationship whether the related connection shall be
allowed. This relationship can concern, for example, the time elapsed between
noticing negotiation of the related connection and opening the associated
port. Alternatively the relationship may concern the process which initiated
the control connection and the process which opened the port. Also other
determinants of the relationship can be used according to the invention.
Viable determinants are such that they indicate reasonably reliably
legitimate use of related connections. In this way, opening a malicious
related connection to a port which is used e.g. by some vulnerable service is
prevented in most cases.

According to the invention the method of securing a device having data
communication capability comprises

- dynamically detecting a control connection, which originates from said
device,
- noticing negotiation of a related connection within said control
connection, said negotiation comprising at least defining a port of the
device for said related connection,
- checking if the relationship between said port of the device and the
control connection fulfills predefined criteria, and
- conditionally blocking said related connection, if said port of the device
does not fulfill said predefined criteria.

According to an aspect of the invention said predefined criteria require
that said port of the device is opened within a predefined time window in
relation to noticing negotiation of a related connection within said control
connection.

According to another aspect of the invention said predefined criteria require
that said control connection and said port of the device are opened by the
same process family.

The advantage of the invention is that it substantially decreases the 
vulnerability related to applets discussed above. 
BRIEF DESCRIPTION OF THE DRAWINGS

Various features of the invention, as well as the advantages offered thereby,
are described hereinafter in more detail with reference to embodiments and
aspects of the invention illustrated in the accompanying drawings, in which

Figure 1 illustrates an example network configuration,
Figure 2A is a flow chart illustrating an aspect of the method of the
invention, and
Figure 2B is a flow chart illustrating another aspect of the method of the
invention.

PREFERRED EMBODIMENTS OF THE INVENTION 

Figure 1 illustrates a simplified example network scenario wherein the
invention may be used. Therein a client device 101 is connected to the
Internet 102 via a gateway firewall 100. The client device comprises some
security measure, which is used for monitoring data going in to and out from
the device and which implements the functionality of the invention. Such a
security measure may be for example a personal firewall. A server 103, which
provides www-services, is also connected to the Internet 102. The client
device 101 may now connect to the server 103 via the gateway firewall 100 and
request a www-page containing an applet. The applet is conveyed to the client
device 101 along with the requested www-page, and the applet is automatically
run in the client device (that is, if applets are allowed in the client
device). The applet may open a new connection to the server without security
measures intervening in that. Also legitimate related connections can be
opened to or from the client device. The gateway firewall 100 does not have
means to detect a difference between a malicious related connection and a
legitimate one if there is an associated control connection which seems to be
legitimate. The only way to block malicious related connections in a gateway
firewall or in a traditional personal firewall would be to block all related
connections towards the client device 101. But the functionality of the
invention included in the client device 101 prevents opening malicious or
suspicious related connections to the client and at the same time allows
legitimate related connections to the client.

The invention can be employed in any device which needs to be protected from
malicious use of related connections. Physically the device is a computer
hardware device combined with appropriate software to do the tasks assigned
to it. Examples of such devices are desktop and laptop computers, PDAs
(Personal Digital Assistants), mobile phones and smart phones.

One logical place to implement the invention is a personal firewall program
which is running in the client device and which monitors traffic from and
towards the client. As a personal firewall sits in the device which needs to
be protected, it has access to additional client-specific information in
comparison to a gateway firewall. Therefore it is well suited for conducting
the functionality of the invention. However, the invention can also be
included in some other application, or equally it can be implemented on its
own.

Figure 2A is a flow chart illustrating an aspect of the method of the
invention. In step 200, a control connection originating from the client
device in which the method of the invention is used is detected. Then in step
201, it is noticed that a related connection is negotiated within that
control connection. As described above, negotiating a related connection
comprises defining one of the ports of the client device for the related
connection. In step 202, the relationship between the port negotiated for the
related connection and the control connection is examined by checking if the
port was opened within a predefined time window in relation to noticing
negotiation of the related connection. There are no restrictions on the
duration of the time window, but a suitable value can be for example between
10 and 1000 seconds. If the port was opened within the time window, the
related connection is allowed in step 204, and in the opposite case the
related connection is blocked in step 203. This implementation clearly
requires that for each open port of the device the moment of time when the
port was opened is recorded. This is a straightforward implementation detail
for a man skilled in the art and thus not discussed any further herein.

Figure 2B is a flow chart illustrating another aspect of the method of the
invention. Steps 200 and 201 are herein equal to the respective steps in
Figure 2A. But now the relationship between the port negotiated for the
related connection and the control connection is examined by checking if the
same process family which had opened the control connection opened the port.
In its simplest form a process family may refer to only one process. In that
case the method of the invention would simply check if the same process
opened the control connection and the port. Another definition of a process
family is that processes belong to the same family if they have a common
parent process from which they are inherited. In that case the method of the
invention would check if the process which opened the control connection and
the process which opened the port have a common parent process. Still another
possibility is that the method of the invention would check if the process
which opened the control connection is a parent process of the process which
opened the port. Also some other relationship between processes may be
regarded as an indicator of processes belonging to the same process family.
Comparisons of the processes can be done e.g. by means of process ID (PID)
values and parent process ID (PPID) values. If the same process family opened
the port, the related connection is allowed in step 204, and in the opposite
case the related connection is blocked in step 203.
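The following is an added illustration, not code from the patent or from any
product implementing it. It models the method of Figures 2A and 2B in
Python: a small stateful tracker notices active-FTP PORT negotiation on a
control connection (step 201), records when each local port was opened and
by which process, and then applies either the time-window criterion (step
202) or the process-family criterion (step 205) before allowing a related
connection. The process table (PID to PPID map), the RelatedConnectionGuard
API, the 60-second window and the sample events are all constructed
assumptions; real enforcement would hook the host's socket and process
tables from a personal firewall.

```python
"""Added example, not from the patent: a miniature model of the two
relationship checks described for steps 202 and 205, on top of a small
stateful tracker for FTP-style related connections. The process table, the
port-registry API and the sample events are constructed assumptions."""
import re

# Constructed stand-in for the host's process table: pid -> parent pid.
# 100 = browser, 101/102 = its children (101 hosts the applet), 200 = unrelated service.
PROCESS_TABLE = {1: 0, 100: 1, 101: 100, 102: 100, 200: 1}

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_command(line):
    """Step 201: active-FTP 'PORT h1,h2,h3,h4,p1,p2' negotiates client port
    p1*256 + p2. Returns None for anything that is not a well-formed PORT."""
    m = PORT_RE.match(line)
    if not m:
        return None
    f = [int(x) for x in m.groups()]
    return None if max(f) > 255 else f[4] * 256 + f[5]


def same_process_family(pid_a, pid_b, table, mode):
    """The three 'process family' definitions given in the description."""
    if mode == "same_process":
        return pid_a == pid_b
    if mode == "parent":            # a is the parent of b
        return table.get(pid_b) == pid_a
    if mode == "common_parent":     # a and b share a parent (or are the same)
        return pid_a == pid_b or table.get(pid_a) == table.get(pid_b)
    raise ValueError("unknown family mode: %s" % mode)


class RelatedConnectionGuard:
    def __init__(self, process_table, time_window=60.0, family_mode="common_parent"):
        self.table, self.window, self.family_mode = process_table, time_window, family_mode
        self.open_ports = {}   # local port -> (opened_at, owning pid)
        self.controls = {}     # remote host -> {"pid": pid, "negotiated": {port: t}}

    def port_opened(self, port, pid, now):
        """Record when a local port started listening and which process owns it."""
        self.open_ports[port] = (now, pid)

    def control_opened(self, remote, pid):
        """Step 200: an outgoing control connection is detected."""
        self.controls[remote] = {"pid": pid, "negotiated": {}}

    def control_data(self, remote, line, now):
        """Inspect control-connection payload and remember negotiated ports."""
        ctl = self.controls.get(remote)
        port = parse_port_command(line) if ctl else None
        if port is not None:
            ctl["negotiated"][port] = now
        return port

    def decide(self, remote, port, criterion):
        """Steps 202/205: 'allow' or 'block' an incoming related connection."""
        ctl = self.controls.get(remote)
        if ctl is None or port not in ctl["negotiated"]:
            return "block"          # never negotiated: classic stateful rule
        if port not in self.open_ports:
            return "block"          # nothing is listening there
        opened_at, owner = self.open_ports[port]
        if criterion == "time_window":
            gap = abs(opened_at - ctl["negotiated"][port])
            return "allow" if gap <= self.window else "block"
        if criterion == "process_family":
            ok = same_process_family(ctl["pid"], owner, self.table, self.family_mode)
            return "allow" if ok else "block"
        raise ValueError("unknown criterion: %s" % criterion)


def demo():
    """Constructed scenario: the applet (pid 101) negotiates its own fresh
    port, a sibling process's port, and a port owned by an unrelated service
    that has been listening for hours."""
    g = RelatedConnectionGuard(PROCESS_TABLE, time_window=60.0)
    t0, server = 1_000_000.0, "198.51.100.10"
    g.control_opened(server, pid=101)
    g.port_opened(8080, pid=200, now=t0 - 7200)     # old unrelated listener
    g.port_opened(40001, pid=101, now=t0 + 1)       # applet's own data port
    g.port_opened(40002, pid=102, now=t0 + 3)       # sibling process's port
    g.control_data(server, "PORT 192,0,2,5,156,65", now=t0)      # -> 40001
    g.control_data(server, "PORT 192,0,2,5,31,144", now=t0 + 2)  # -> 8080
    g.control_data(server, "PORT 192,0,2,5,156,66", now=t0 + 4)  # -> 40002
    return {
        "legit_time": g.decide(server, 40001, "time_window"),
        "legit_family": g.decide(server, 40001, "process_family"),
        "stale_time": g.decide(server, 8080, "time_window"),
        "stale_family": g.decide(server, 8080, "process_family"),
        "sibling_family": g.decide(server, 40002, "process_family"),
        "unnegotiated": g.decide(server, 22, "time_window"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

In the constructed scenario both criteria allow the applet's own freshly
opened data port and both block the port belonging to the long-running
unrelated service, which is exactly the case the background section says a
gateway firewall cannot tell apart. The two criteria differ on the sibling
process's port: the time-window check does not look at ownership, while the
process-family check with the "common parent" definition allows it and with
the "same process" definition would block it, which is why the description
leaves the choice of family definition open.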

It needs to be understood that the network configuration of Figure 1 and the
usage scenarios of the invention described above are only examples, and that
the invention can be employed in various other ways within the scope of the
invention.
CLAIMS

1. A method of securing a device having data communication capability,
characterized by comprising

- dynamically detecting (200) a control connection, which originates from
said device,
- noticing (201) negotiation of a related connection within said control
connection, said negotiation comprising at least defining a port of the
device for said related connection,
- checking (202, 205) if relationship between said port of the device and the
control connection fulfills predefined criteria, and
- conditionally blocking (203) said related connection, if said port of the
device does not fulfill said predefined criteria.

2. A method according to claim 1, characterized in that said predefined
criteria requires that said port of the device is opened within a predefined
time window in relation to noticing negotiation of a related connection
within said control connection (202).

3. A method according to claim 1, characterized in that said predefined
criteria requires that said control connection and said port of the device
are opened by the same process family (205).

4. A method according to claim 1, characterized in that said device is
running an applet.

5. A method according to claim 4, characterized in that said control
connection originates from the applet.

6. A device (101) having data communication capability, characterized by
comprising a module, which is adapted to

- dynamically detect a control connection, which originates from said device
(101),
- notice negotiation of a related connection within said control connection,
said negotiation comprising at least defining a port of the device for said
related connection,
- check if relationship between said port of the device and the control
connection fulfills predefined criteria, and
- conditionally block said related connection, if said port of the device
does not fulfill said predefined criteria.

7. A device (101) according to claim 6, characterized in that said device is
running an applet.
8. A computer readable storage medium comprising a computer program that
carries out the method according to any one of claims 1 to 5 when executed by
a computer.

9. A computer program that carries out the method according to any 
one of claims 1 to 5 when executed by a computer. 

10. A computer program according to claim 9, characterized in that 
said computer program is included in a personal firewall product. 
(57) ABSTRACT

A method of securing a device having data communication capability comprising
dynamically detecting (200) a control connection, which originates from said
device, noticing (201) negotiation of a related connection within said
control connection, said negotiation comprising at least defining a port of
the device for said related connection, checking (202) if relationship
between said port of the device and the control connection fulfills
predefined criteria, and conditionally blocking (203) said related
connection, if said port of the device does not fulfill said predefined
criteria. The method can be used for suppressing a vulnerability related to
applets.

(Figure 2A) 